Ubuntu.comUB:CVE-2021-23336CVE-2021-23336
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:P/A:P
0.001 Low
EPSS
Percentile
49.1%
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before
3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are
vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and
urllib.parse.parse_qs by using a vector called parameter cloaking. When the
attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not
include it in a cache key of an unkeyed parameter.
Bugs
Notes
| Author | Note |
|---|---|
| mdeslaur | fixing this in stable releases will break compatibility with existing applications. Marking as low priority. We may decide not to fix this at all in stable releases in the future. |
| rodrigo-zaiden | Decided not to fix. The proposed fixes could possibly break existing python packages in Ubuntu. There are known regressions to this CVE, such as: https://giters.com/scrapy/w3lib/issues/164 |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | python-django | < 1:1.11.11-1ubuntu1.11 | UNKNOWN |
| ubuntu | 20.04 | noarch | python-django | < 2:2.2.12-1ubuntu0.4 | UNKNOWN |
| ubuntu | 20.10 | noarch | python-django | < 2:2.2.16-1ubuntu0.2 | UNKNOWN |
| ubuntu | 21.04 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 21.10 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 22.04 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 22.10 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 23.04 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 23.10 | noarch | python-django | < 2.2.19-1 | UNKNOWN |
| ubuntu | 20.04 | noarch | python3.9 | < 3.9.5-3~20.04.1 | UNKNOWN |
References
github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
github.com/python/cpython/pull/24297
launchpad.net/bugs/cve/CVE-2021-23336
nvd.nist.gov/vuln/detail/CVE-2021-23336
security-tracker.debian.org/tracker/CVE-2021-23336
snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
ubuntu.com/security/notices/USN-4742-1
www.cve.org/CVERecord?id=CVE-2021-23336
www.djangoproject.com/weblog/2021/feb/19/security-releases/
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:P/A:P
0.001 Low
EPSS
Percentile
49.1%